AsyncRAT Exploiting Python and TryCloudflare for Covert Malware Distribution

The Forcepoint X-Labs research team has uncovered a resurgence of AsyncRAT, a sophisticated remote access trojan (RAT), in a campaign that abuses legitimate tools and services such as Python and TryCloudflare for covert malware distribution.

This ongoing campaign reveals increasing abuse of trusted infrastructure to bypass detection mechanisms, highlighting the growing complexity of modern cyber threats.

Phishing Emails as the Initial Vector

The attack begins with phishing emails embedding Dropbox URLs that lure victims into downloading a ZIP file.

This initial payload contains an internet shortcut (.URL) file that triggers a multi-stage chain of malware delivery, culminating in the deployment of AsyncRAT.

The attackers strategically camouflage malicious activities by presenting a seemingly benign PDF as a distraction.

Upon further examination, the .URL file redirects to a TryCloudflare-hosted subdomain containing a .LNK file.

When run, this shortcut file executes PowerShell commands to download additional payloads, including a JavaScript (.JS) file.

The JS file, heavily obfuscated, retrieves a batch (.BAT) file, which is responsible for downloading a final ZIP archive containing the main Python scripts and associated binaries.

Figure: Heavily deobfuscated .BAT file

Python-Based Execution and Process Injection

The downloaded ZIP archive includes Python scripts, such as load.py, which serve as the execution engine for AsyncRAT.

The attackers utilize Python’s ctypes library to allocate memory, create threads, and inject shellcode into legitimate processes like explorer.exe and notepad.exe.

This process injection technique utilizes early-bird APC queue methods to evade detection by antivirus (AV) and endpoint detection and response (EDR) tools.

The Python code also processes several .BIN files embedded within the ZIP archive.

These files contain shellcode for various malware types, including AsyncRAT, VenomRAT, and XWorm.

Figure: AsyncRAT attack chain

By leveraging Python’s compatibility with C and system-level operations, the attackers ensure seamless execution, even on machines without a pre-installed Python interpreter.
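The delivery chain and the Python-based injection stage described above can be turned into host-level detection logic. The following is an added example, not code from Forcepoint or from the campaign: it runs over constructed Sysmon-style events (process creation, event 1; process access, event 10) and flags each stage of the chain (PowerShell reaching a trycloudflare.com subdomain, a script host running a .JS, cmd.exe running a .BAT, a Python interpreter executing load.py, and that interpreter opening explorer.exe or notepad.exe). The hostnames, paths and event layout are assumptions made for the example.

```python
import re

# Constructed Sysmon-style events modelled on the chain in the article.
# Hostnames and paths are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"event": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -NoProfile <fetch https://some-random-words.trycloudflare.com/stage.js>"},
    {"event": 1, "parent": "powershell.exe", "image": "wscript.exe",
     "cmd": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.js"},
    {"event": 1, "parent": "wscript.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"},
    {"event": 1, "parent": "cmd.exe", "image": "pythonw.exe",
     "cmd": "pythonw.exe C:\\Users\\u\\AppData\\Local\\Temp\\pkg\\load.py"},
    # Early-bird APC injection queues an APC instead of creating a remote thread,
    # so CreateRemoteThread (event 8) stays silent; the interpreter opening the
    # target process (event 10) is the observable signal.
    {"event": 10, "source": "pythonw.exe", "target": "explorer.exe", "access": "0x1FFFFF"},
    {"event": 1, "parent": "explorer.exe", "image": "chrome.exe", "cmd": "chrome.exe"},  # benign
]

TRYCLOUDFLARE = re.compile(r"https?://[a-z0-9-]+\.trycloudflare\.com/", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PY_HOSTS = {"python.exe", "pythonw.exe"}
INJECT_TARGETS = {"explorer.exe", "notepad.exe"}

def classify(ev):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    if ev["event"] == 1:
        image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"].lower()
        if image == "powershell.exe" and TRYCLOUDFLARE.search(cmd):
            return "powershell_trycloudflare"
        if image in SCRIPT_HOSTS and cmd.rstrip().endswith(".js"):
            return "js_stage"
        if image == "cmd.exe" and parent in SCRIPT_HOSTS and ".bat" in cmd:
            return "bat_stage"
        if image in PY_HOSTS and "load.py" in cmd:
            return "python_loader"
    elif ev["event"] == 10:
        if ev["source"].lower() in PY_HOSTS and ev["target"].lower() in INJECT_TARGETS:
            return "python_process_access"
    return None

def assess(events, threshold=2):
    """Return the distinct stages seen on a host and whether they reach the alert
    threshold. A single stage can be noisy on its own (admins run PowerShell and
    Python too); two or more together point strongly at this loader chain."""
    stages = sorted({s for s in map(classify, events) if s})
    return stages, len(stages) >= threshold

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```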

This campaign underscores the increasing trend of attackers exploiting legitimate services, such as TryCloudflare, to host malicious payloads.

The ephemeral nature of these cloud tunnels makes it challenging for security systems to detect and block malicious activity promptly.

Similarly, the use of Python, a universally trusted programming language, further obscures the attack’s intent.

The ongoing AsyncRAT campaign showcases the evolution of cybercriminal tactics, including the abuse of trusted infrastructure such as Dropbox and TryCloudflare.

By employing a multi-layered approach and leveraging tools like PowerShell and Python, attackers create highly obfuscated attack chains that evade traditional detection methods.

Forcepoint’s research team emphasizes the critical need for advanced threat detection mechanisms to counter these sophisticated attacks.

As this trend rises, organizations must adopt proactive security strategies to prevent the exploitation of legitimate tools and services for malicious purposes.
